SenseHeading fix = MinGW 2.0 Setup

**gnome01** · 11-13-2002, 08:17 PM

Thanks Guys for the help.. I added Elyon's code to it and compiled with no errors however I am getting a new error...

Here is the source..

Code:

// $Header: /usr/local/cvsroot/senseheading/senseheading.c,v 1.4 2002/11/05 23:36:03 hoihoi Exp $

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <tlhelp32.h>
#include <time.h>

#define CONF_FILE "C:/hh.conf"
#define CONF_SIZE 16

struct CONFIG
{
	unsigned long long SessionKeyLocation;
	unsigned int SendInterval;
	char seq_ip[16];
	int seq_port;
} config;

int SendSessionKey(unsigned long long SessionKey);

void readkey (HANDLE hProcess, int useConfig)
{
	while (1)
	{
		unsigned long addr;
		unsigned long long key = 0xffffffffffffffff;

		char keypressing;

		if (useConfig == 0)
		{
			printf ("\nenter offset (ie: 0x00773b90): ");
			if (scanf ("%08x", &addr) == 1)
			{
				printf ("offset:\t0x%08x\n", addr);
			}
		}
		else
			addr = config.SessionKeyLocation;

		if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
		{
			printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
		}
		else
		{
			printf ("Session key:\t0x%016I64x\n", (unsigned long long) key);

			if ( useConfig == 1)
			{
				if (SendSessionKey(key) != SOCKET_ERROR)
					printf("Sent the session key to %s:%d\n", config.seq_ip, config.seq_port);
				else
					printf("Failed to send the session key to %s:%d\n", config.seq_ip, config.seq_port);
			}

			if (config.SendInterval != 0)
				sleep(config.SendInterval*1000);
			else
			{
				printf("\nPress some key to continue");
				scanf("%s", &keypressing);
			}
		}
	}

	fflush (stdin);
}

int scanproclist ( int useConfig )
{
    HANDLE         hProcessSnap = NULL;
    PROCESSENTRY32 pe32      = {0};

    //  Take a snapshot of all processes in the system.
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return 0;

    //  Fill in the size of the structure before using it.
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (Process32First(hProcessSnap, &pe32))
    {
		HANDLE hProcess;

        do
        {
            LPSTR pCurChar;
			char pName[512];

            // strip path and leave exe filename
            for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
                 *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
                 --pCurChar)

            strcpy(pName, pCurChar);
			strlwr(pName);

			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
			{
				printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
				hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
				if (hProcess == NULL)
				{
					DWORD dw;
					dw = GetLastError();
					printf ("OpenProcess failed, error: %u\n", dw);
					return 0;
				}
				readkey (hProcess, useConfig);
			}
	  }
        while (Process32Next(hProcessSnap, &pe32));
    }

    CloseHandle (hProcessSnap);
    return 0;
}


int ReadConfig (void)
{
	int useConfig = 0;
	char conf_buffer[CONF_SIZE];

	GetPrivateProfileString("Client", "SessionKeyLocation", "0", conf_buffer, CONF_SIZE, CONF_FILE);
	config.SessionKeyLocation = strtol(conf_buffer,NULL,16);

	GetPrivateProfileString("Client", "SendInterval", "0", conf_buffer, CONF_SIZE, CONF_FILE);
	config.SendInterval = atoi(conf_buffer);

	GetPrivateProfileString("ShowEQ", "IP", "0", conf_buffer, CONF_SIZE, CONF_FILE);
	strcpy(config.seq_ip, conf_buffer);

	GetPrivateProfileString("ShowEQ", "Port", "0", conf_buffer, CONF_SIZE, CONF_FILE);
	config.seq_port = atoi(conf_buffer);

	if (config.SessionKeyLocation > 0)
		useConfig = 1;

	return useConfig;
}

int SendSessionKey(unsigned long long SessionKey)
{
	int ret;
	WSADATA wsd;
	SOCKET ssocket;
	SOCKADDR_IN seq;

	if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
	{
       printf("WSAStartup failed!\n");
	   return SOCKET_ERROR;
	}

	ssocket = socket(AF_INET, SOCK_DGRAM, 0);
	if (ssocket == INVALID_SOCKET)
	{
		printf("socket() failed; %d\n", WSAGetLastError());
		return SOCKET_ERROR;
	}

	seq.sin_family = AF_INET;
	seq.sin_port = htons((short)config.seq_port);
	seq.sin_addr.s_addr = inet_addr(config.seq_ip);

	ret = sendto(ssocket, (char *) &SessionKey, sizeof(unsigned long long), 0, (SOCKADDR *)&seq, sizeof(seq));
	if (ret == SOCKET_ERROR)
		return SOCKET_ERROR;

	closesocket(ssocket);
	WSACleanup();

	return 0;
}
int main(void) 
{ 
if (ReadConfig() == 1) { 
printf("config file name is: %s \n", CONF_FILE) ; 
while (1) { 
printf ("scanning for game\n"); 
scanproclist(1); 
Sleep (10000); /* pause 10 seconds between checks */ 
} 
} 
else { 
printf("error reading config file: %s \n", CONF_FILE) ; 
exit (1) ; 
} 

return 0; 
}

Error is: Error reading config file: c:/hh.conf

conf file posted above with my other post.

**MightyWarrior** · 11-14-2002, 08:00 AM

gnome01 replace this text

#define CONF_FILE "C:/hh.conf"

with this text

#define CONF_FILE "C:\hh.conf"

I think that will fix your problem if not try

#define CONF_FILE "C:\\hh.conf"

Hope that helps

MightyWarrior

**fryfrog** · 11-14-2002, 08:15 AM

i think you need to use the non standard \ instead of /...

also, if you use ./ (er, .\?) instead of a full path i think it looks in the current directory for the conf file.

Code:

#define CONF_FILE "./hh.conf"

**who_me_use_seq** · 11-14-2002, 08:59 AM

actually "/" is standard. We were saddled with the "\" when Gates stole CP/M and attempted to make it look less like naked plagerism.

"Sig?.......Yeah I have a sig......I am working on it......And it will be big and flashy......And take up 2 pages......Yeah that is the ticket."

**gnome01** · 11-14-2002, 02:12 PM

PROBLEM FIXED... it's kinda silly what was wrong but.. hh.conf was a notepad file so you need to make it:

#define CONF_FILE "C:\hh.conf.txt"

Thanks for the posts.!

**fryfrog** · 11-14-2002, 02:15 PM

as a way of fixing THAT without having to re-compile your sniffer... you could have turned on the ability in windows to see "file extensions for known type" or something like that, then just renamed it from "hoihoi.conf.txt" to "hoihoi.conf" :)

**gnome01** · 11-14-2002, 02:41 PM

yeah fry, I obviouslly had that off =p....

ok here's another question. Now that I have everything working and such, and we all know you can only open this sniffer at the character screen (not when actually in a zone). Would there be a way to make it so you can open this when in a zone and it would actually get the PID and send the key off to linux box? The main reason I want the program to do this is because it will reduce the chance of being cought the less I use it. So mainly I could just open it, watch it send the key, close it, done...(repeat after zoning etc) =)

Thanks

**The Mad Poet** · 11-14-2002, 04:26 PM

The main reason I want the program to do this is because it will reduce the chance of being cought the less I use it.

Don't presume this - I know that this idea has floated around the boards - but if they run checks on the memory and detect the read then it doesn't matter how often you read the memory - you will get caught.

We already know they do some checks on memory and that they DO send info to the server - they are experienced in this regard.

For example:

There was a hack where you could directly write some hex to memory and alter your run speed to beyond GM levels - this is known as the 'run speed hack' - Verant put checks into the code to watch the checksum of the memory and when it was altered then they sent a flag over to the Verant HQ and banned the account that did this.

*THIS* is what caused the mass bannings way back when - only thing is somehow they either got a glitch or realised they couldn't afford to ban so many and then reinstated alot of accounts - they could have been working on fear factor to make people realise that this can happen in MASS.

Remember that Verant does work with FUD factor involved and the more they can do to make you look over your shoulder if they think you are doing something wrong then the more they win. It is very easy to put a checksum into the code to watch certain variables so that direct memory hacks are caught - the problem is how are they going to read the memory read - because a read is passive it really doesn't alter anything and therefore is harder to detect.

The theory sofar however is that the process used to read the memory in this and other programs is attaching a debug call to the process - this can throw an exception and if VI is checking for this they can then just send a flag to the server (a byte or less in any packet sent to the server) and wham - you are flagged.

If you want to check this 'feature' out - go buy a copy of Everquest Classic - then do a search for the run speed hack on the web - use it on the new account - within a few days your account *will* be banned.

**gnome01** · 11-14-2002, 05:50 PM

do they only flag accounts? or IP's as well?

**The Mad Poet** · 11-14-2002, 06:03 PM

I've never been banned so I don't know...

going off of info 2nd had I'd say just accounts - people who run 'hacks' tend to pick up the 9 dollar version to test the hack on to see if it will get them banned first....

**a_necro00** · 11-14-2002, 06:44 PM

Sorry mad poet you are wrong in this thing.

This is from another of my posts:

As mvern and Mr. Spock confirmed in this thread: http://seq.sourceforge.net/showthrea...&threadid=2359 (end of page 3).
SOE could not use the function IsDebuggerPresent() to catch the sniffers that only use OpenProcess() and ReadProcessMemory(),
even if they have the access for debugging. At least one point for our side.

You need to call DebugActiveProcess() to set the flag.

Is good to be afraid of SOE, just not that afraid.

Edit: Fixed the weird URL

**The Mad Poet** · 11-14-2002, 06:50 PM

I'm not saying that is written in stone - just that there is a possiblity - I have a feeling they are trying to figure out a way to detect it myself.

The point is still correct though - if they can detect the memory read then it doesn't matter if your program runs for .001 seconds or stays up 24x7...

But it's good to know the info about the trap =) Thanks!

*edit*
er ... and yer link didn't work search is gud

**a_necro00** · 11-14-2002, 07:15 PM

Yes Mad Poet.

That's another thing, today finally someone posted a very good doc that has good examples of how to hook API Calls (I am glad that you like to search

). I started a week ago the discussion on another thread based on something that I read and was unable to find, now is a reality and they can use that way if they were dumb.

Now, we should expect that and check if the ReadProcessMemory() has being hooked (careful, probably AntiVirus and Memory Optimizers already hook it). It will start a war between our side and their side.

I personally think that they will not do it, because they can impact performance and introduce bugs. But who knows?

Ohh, I fixed the URL on the another post.

**eronj** · 11-15-2002, 05:56 PM

using dev-c++ 4.9.6.0
heres the error

line 96 unterminated error constant
heres the code

*pCurChar != '\' && pCurChar != pe32.szExeFile - 1;

I have added the extra \ but then i get a lot more errors.

Could it be my compiler?

**CBiLL** · 11-15-2002, 10:05 PM

Using this code and Cywin gcc .. I get this :

In file included from senseheading.c:5:
/usr/include/w32api/winsock2.h:95:2: warning: #warning "fd_set and associated macros have been defined in sys/types. This may cause runtime problems with W32 sockets"

CBiLL

Thread: SenseHeading fix = MinGW 2.0 Setup

Thread Tools

Rate This Thread

Display

Current sniffers DO NOT set the debugged flag

Ok. but is another thing, more serious now

copiler error

Thread Information

Users Browsing this Thread

Posting Permissions